Splunk Search

Regex help required

SabariRajanT
Path Finder
Hi Team,

Can someone provide me the regex for the below:

|search (UPN=*T@mail.eeir)
0 Karma
1 Solution

gcusello
SplunkTrust

Hi @SabariRajanT,

if you could share a sample, it's easier to help you!

Anyway, what do you need:

  • a regex to search all the events where there's the string "UPN=*T@mail.eeir",
  • the extraction of the UPN field?

If the first you can use:

| regex "UPN\=.*T\@mail\.eeir"

If the second, I need a sample.

Ciao.

Giuseppe


gcusello
SplunkTrust

Hi @SabariRajanT,

ok, good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

SabariRajanT
Path Finder

Hi @gcusello 

Thanks for your response. The main goal is to ignore the capital "T" as shown below in the UPN:

|search (UPN=*T@mail.weir).

If you could provide the query accordingly, as per regex101, that would be great.

Thanks,

Sabari

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

could you share a sample?

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

sample - UPN=*t@cloud.weir

Required to remove the above "t" and "T".

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

please, try this

| regex "UPN\=.*(T|t)\@mail\.eeir"

Ciao.

Giuseppe

0 Karma

SabariRajanT
Path Finder

@gcusello 

Thanks for your response!

It doesn't work out well.

When I use a NOT operator like below, the "t"/"T" should be ignored:

search NOT (UPN=*t@cloud.eeir)

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

did you try the search without using regex?

| search NOT (UPN=*t@cloud.eeir)

Splunk searches aren't case sensitive.

Ciao.

Giuseppe

SabariRajanT
Path Finder

hi @gcusello 

Yes, did that! But no luck. There are n number of IDs with "T"/"t". The regex part will help it out, I believe.

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

as I said, I could help you more if you share some samples of your data (the events, not the rule!): data to take and data to exclude.

Ciao.

Giuseppe

SabariRajanT
Path Finder

Hi @gcusello 

Let me explain the scenario in detail:

When I query as below, I get the UPN details with "T" as below.

index=xxx | eval UPN=mvindex('userStates{}.userPrincipalName',0) |search UPN = "*T@mail.eeir"
|table UPN

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeeeT@mail.eeir
If you see the above data, the xxx, yyy, cccT UPN data are coming up. But I need to ignore the "T" here and show all the rest of the UPN data like below:

xxx.mmm@mail.eeir
yyy.Mmmm@mail.eeir
zzz.rrrr@mail.eeir
cccc.eeee@mail.eeir
For the same, I am trying to use the below query with the regex command. But no luck, the regex is not working.

index=graphsecurityalert | eval UPN=mvindex('userStates{}.userPrincipalName',0) |rex!=UPN = "*T@mail.eeir" |table UPN

If you could provide the following rex, that would be great: |rex!=UPN = "*T@mail.eeir"

0 Karma

SabariRajanT
Path Finder

thanks

0 Karma

gcusello
SplunkTrust

Hi @SabariRajanT,

please, try this regex:

| rex mode=sed field=UPN "s/(\w+\.\w+)[Tt]\@(.*)/\1\@\2/g"

Ciao.

Giuseppe
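The sed substitution from the last reply, worked through in Python as an added example (not code from the thread or from Splunk): `re.sub` stands in for `rex mode=sed ... /g`, the sample UPNs are constructed to mirror the ones posted in the thread, and the loose-alternation variant `(\w+\.\w+)T|t@(.*)` is included to show why both letters must sit inside one branch. The `\@` escapes of the SPL version are written as plain `@` here; PCRE and Python treat them identically.

```python
import re

# Constructed sample UPN values modelled on the ones posted in the thread
# (the real userPrincipalName values are not on the page).
SAMPLE_UPNS = [
    "xxx.mmm@mail.eeir",        # no trailing T: must stay unchanged
    "yyy.Mmmm@mail.eeir",       # capitals elsewhere in the local part must survive
    "cccc.eeeeT@mail.eeir",     # trailing capital T: strip it
    "dddd.fffft@cloud.weir",    # trailing lowercase t: strip it
    "tom.smith@mail.eeir",      # t not directly before the @ must stay
]

# Loose alternation: "|" has the lowest precedence, so this pattern means
# "(\w+\.\w+)T"  OR  "t@(.*)". When the T branch matches, group 2 is empty and
# the original "@" is left in place, so the result contains "@@".
LOOSE_SED = (r"(\w+\.\w+)T|t@(.*)", r"\1@\2")

# Character class: both letters stay inside one branch, so group 1 is always
# the local part and group 2 is always the domain.
FIXED_SED = (r"(\w+\.\w+)[Tt]@(.*)", r"\1@\2")


def apply_sed(value, pattern, replacement):
    """Emulate `| rex mode=sed field=UPN "s/pattern/replacement/g"` with re.sub."""
    return re.sub(pattern, replacement, value)


def strip_trailing_t(upn):
    """Remove a single T or t that sits immediately before the @ of a UPN."""
    return apply_sed(upn, *FIXED_SED)


def keep_without_trailing_t(events):
    """Emulate `| regex UPN!="...(T|t)@..."` on raw events: drop those whose UPN
    ends in T/t. \\S* is used instead of the thread's .* so the match cannot run
    across into a later field of the same event."""
    marker = re.compile(r"UPN=\S*[Tt]@")
    return [e for e in events if not marker.search(e)]


if __name__ == "__main__":
    for upn in SAMPLE_UPNS:
        print(f"{upn:24} loose -> {apply_sed(upn, *LOOSE_SED):24} "
              f"fixed -> {strip_trailing_t(upn)}")
    events = [f"UPN={u} action=login" for u in SAMPLE_UPNS]  # constructed raw events
    print(keep_without_trailing_t(events))
```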
